
CVE-2021-20867

Good to know:


Date: December 13, 2021

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in the operation that moves a field group, which may allow a user to move a field group without authorization via unspecified vectors.

Language: PHP

Severity Score


Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix


Upgrade Version

Upgrade to version 5.11 or later.


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE